Now, this is nothing new, and as I stated before, has been going on for years. I’m not even going to go to the political discussion on whether this is sponsored by the government (or have been turned a blind eye by it), as opposed to Israeli hackers that would like to retaliate but know that they would be charged in their country for computer crimes.

No.

The focus here is that there was such a huge media outrage over the fact that so many (more than 100,000) user accounts have been affected, and everyone is scrambling to figure out who should have notified who on what. A couple of funny things to consider in this incident:

1. There are more than a couple of companies in Israel that specialize in gathering intelligence on such forums as their core business. One company has even been quoted that they knew of this issue months ago.
2. Some of the accounts that have been breached belong to government personnel (or at least have a .gov.il email account with it’s corresponding password).
3. The sites that have been breached were not notified until a couple of days ago. They have no-one to consult with in terms of how to handle this incident, or how to fix their issues (ever heard of one-way password hashing??? apparently not…).

Why am I bringing up these specific point? Let’s see, and now from a perspective of a normal CERT that if would have been here would have addressed these as follows:

1. Companies that deal with security research can send their insights over local security incidents to a coordinating entity – IL-CERT that would manage the anonymous and responsible notification to the affected parties. No need to figure out a local policy for notifications, no need to dig out contact details for obscure police departments and guesstimate whether they even care about your data, and no need to get into the politics of the existing semi-CERTS and who they constituency is.
2. Coordination and notification to government related bodies would  be handled through the ILGOV-CERT (although their website is not too promising, there are ways to reach them…). Additionally, collateral damage notification would also be handled in the same way (i.e. – a .gov.il site has not been breached, but .gov.il account have been found through breaching a .co.il server. This is the kind of thing that ILGOV-CERT does not know how to handle right now…).
3. Incident handling support and assistance would have been provided by subject-matter experts to any site that have experienced a breach. No cost associated (unless actual work on the servers or code would have been sought after, in which case the IL-CERT would have probably done a referral as initially it would not be a commercial body).

Simple huh? And you keep wondering how come a place where so much innovation in science, technology and security has come from is still in the dark ages of it’s own internet security…

Related posts:

1. FIRST and IL-CERT
2. Cyber[FUD]Fare – repost from fudsec.com
3. The China/Google thing, accountants and other miscreants

I’ve been intravenously fed with FUD for as long as I’ve been in the business.

The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any “you gotta have this!!!” technology).

I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What’s the motivation? It’s not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $39.99 (not including annual license renewal of $99.99).

Nevertheless, as someone who likes security (yeah, I know… sorry…) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this.
I decided to start off with my prior knowledge of CyberCrime (again – definitions aside, some say eCrime, some CyberCrime, some tomato…) to cover the more “traditional” attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were the Estonia and the Georgia ones.
Estonia being dubbed the “first true cyberwar” in some publications (and by some “professionals”) turned out to be mostly civilian  – meaning that there didn’t seem to be a Kremlin general high on Vodka that marched his army of hackers into cyberspace to crush the Estonia internet!!! On the other hand, reality seemed much more familiar that expected – a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that – behold – is attributed to CyberCrime. Almost like someone was trying to push me back to my “place”.
To be completely honest, there was a bit more to it. For anyone who is familiar with the RBN, you probably are aware of the close ties it has with Russian authorities that allow it to operate almost uninterrupted. The timing of the attacks, and the scale of it indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonia neighbors.
But from some greased hands that allow RBN to keep running aloof to “the first true cyberwar” is a long haul…

The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a “CyberWar”, or an act of cyberwarfare, as it has been closely coordinated with kinetic actions taken on the ground by the Russian forces. Nevertheless, the same deniability factor plays well here – use of botnets operated mainly by CyberCriminal groups was the main attack surface.

Interestingly enough – true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s… These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure ).

But the real cherry on top has been APT! When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution… Yeah – I’m such a sucker for the media
Too bad that the latest APT (and that’s the last time you’ll see this acronym here) is just another FUD-happy name for – wait for it – TROJANS!!! Trojans, and rootkits, and keyloggers and viruses!!! run for your lives…
Seriously now. Whether state sponsored (possible…) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names…), we go back again to the FUD motivation.
According to the latest one (FUD that is), CyberWar is full of APT (broke my promise. deal with it), and it can only be protected by – you guessed it – AntiVirus! (or whatever new fancy names our beloved vendors find for the same software they have been pushing us in the last 20 years).

So cheer up!  The sky is not falling. It’s just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes – even your government (or whatever shell company used to disguise it). Just like we are used to do with more conventional arms dealing.

Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime (BlackHat, DefCon, HackerHalted, Excaliburcon, etc.) and the up-and-coming coverage of Cyber[Crime|War] connections in BlackHat EU and the FIRST conference.

Related posts:

1. New post on fudsec.com – CyberFUDfare
2. CyberCrime, CyberWarfare, and 2010
3. Cyber[Crime|War] – connecting the dots – BlackHat EU 2010

May not be completely safe for listening to at work (especially not with speakers…).

On that note (of shameless plugs) and as we noted on the podcast, if any of you know (or are) potential sponsors for BSides, and ExcaliburCon (especially if you have or want exposure in the Chinese market) feel free to contact us – g0d be my witness it’s not really expensive to sponsor, but critical as these shows are not cheap…

Closing up for now (until later this week probably – expect some new material), just a heads up on the upcoming speaking engagements:

April 14-15 at BlackHat EU in Barcelona, Spain.

June 13-18 at FIRST in Miami FL.

More to come soon…

Related posts:

1. CyberCrime, CyberWarfare, and 2010
2. Cyber[FUD]Fare – repost from fudsec.com
3. Identity crisis

Conference first: It was just great! No-nonsense, I have been speaking at quite a few conferences around the world, but this one really was special. From the organization, through the location and hospitality, down to the fact that we basically were less than a dozen (western) speakers hanging around all day (and night) which really was a great opportunity to make some new friends and strengthen existing friendships.

Talk wise, I have really enjoyed Nathan Hamiel’s “weaponizing the web” talk which I missed at BlackHat earlier this year – right up my alley of the past year’s research on MalWeb, and a great person in general to hang around with.

Later on Steve Topletz has been discussing intelligence on the internet and the superpowers that are engaged in it (with a strange kudos to a little country called “Israel”? Thanks Steve!) which was I’m sure an eye opener for a lot of people who were not privy to some of the data presented.

I also watched the Joe McCray deliver his “this is so easy” advanced SQL-Injection attack talk with the style we always expect Joe to deliver. Adam Laurie (Major Malfunction) has been wrecking havoc with his RFIdiots talk as usual (and in several other places where we hung around). Jordan Wiens made all this Capture-the-Flag stuff look like a big game (don’t think it is for a minute – the skill-set that a team needs to possess is just brutal, and the challenges are as hard as they are fun!). Jayson Street has been juggling with organizing the conference but managed to smoothly present his talk as well, and I can only say I’m really disappointed for missing out Chris Nickerson’s red-team testing talk (close to my heart and business), as well as Wim Remes’ Open Source Security one (one of the few true Unix guys out there and a swell chap overall ). FX did not miss his mark either as he delivered a riveting router exploitation talk (riveting for English speakers – not sure how the somewhat direct language translated to Chinese…).

Other than the conference, China has been a great experience – culturally, politically (don’t get me started), culinary (we got pictures – not for the faint of heart), and technologically (I told you not to get me started…). I have learned a lot (which should be the case for every trip and conference) and am sure to come back for more next year after WuXi will recover from the can of pawnage we have opened up there.

The rest of the stories may not be SFW and deserve a been to be divulged, so until then, keep safe!

Related posts:

1. Cyber[FUD]Fare – repost from fudsec.com
2. The China/Google thing, accountants and other miscreants
3. It’s all about the money

Related posts:

1. Drawing the line – securing an organization while thinking of users…
2. Practical vs. Regulatory – the votes are in!
3. IFRAME is a security risk???

I’ve just finished reading a great little note from Brian Krebs on the Washington Post that enabled me to “out” (don’t worry, I won’t) an incident that some of us in the security industry have been following in the last few days. One of “ours” has been hijacked on Tweeter, and the impersonator who hijacked him was twittering some rants and raves that actually close to this person’s professional life.

This makes you think again of what we have been discussing in the annual threat report on social networking threats getting real. Once again, our recommendation is – get your online identity straightened out. Make sure you are aware of who you are online, own your identity online – even if that means registering to the major social networks just to “plant your flag” as Brian so eloquently put it (as long as you point the flag to the social networking identity you actually use…).

Check out the original article by Brian here, and our annual report here [PDF].

Related posts:

1. The oracle strikes again – “Browser OS” threats start to appear
2. Blocking Facebook? Not popular, and not effective
3. Social networking threats – the “hacker” story

Just like BBC’s botnet debacle which fueled a vivid discussion amongst security circles, debating if the exposure is good (i.e., raising awareness to the threat) or bad (i.e., not really ethical, everyone knew about the ability to rent a botnet), CBS’s 60 minutes had a 15 minute spot focusing on Conficker. Check it out here:

On one hand, getting more awareness out there is great – not a lot of people realize how real the threat is, and how organized is the business of managing that threat (favorite quotes – it’s like a business, and uses advertising to promote itself). On the other hand, getting all rattled up towards April 1st might not be effective and may cause an uncalled for panic (and yes, a rush to buy or upgrade security software, which is probably why a certain vendor is highlighted on the CBS piece…).

Bottom line – keep cool, make sure you surf securely, and don’t click on every possible link you are presented with (think first, count to ten, and then click).

Related posts:

1. Conficker continues its rounds. Hits 9 million mark
2. Are you Conficker-proof? Do you really need to be?
3. Cyber[FUD]Fare – repost from fudsec.com

Moving on from the social networking issues we outlined in the past couple of weeks, after following the predictions, and their materialization (here, here, here in the announcement of Gmail offline, here, and here), we can already see the “Browser OS”, as we dubbed it in our annual threat and predictions report, begin to materialize as well.

As per a recent Register article, threats related to Google Gears™ have started to appear – taking advantage of the extended capabilities granted to the browser – just like we predicted in our report. We named Google’s Gears, Adobe’s Air and Microsoft’s Silverlight as the prominent technologies that would be the enabler for the “Browser OS” and would be scrutinized for their security implications.

As always, we are not here to say “nay” to every new technology – just the opposite these technologies are the future, and they enable businesses and individuals alike to be more productive and have a better web experience. The only claim here is that more focus should be put on measures that take these technologies into account when implying to provide internet and web security, and enough forward looking vision to execute on it.

Related posts:

1. Gear up – predictions for 2009 has begun to materialize
2. More on the browser OS – from Microsoft Research
3. It’s a browser! It’s an Operating System! It’s… brOSer?!

This new feature is basically an implementation for a new header (X-FRAME-OPTIONS) that is returned from a server which defines the scope of “netsing” that is allowed for a specific site. This means that sites can potentially have control over whether their content is allowed to be rendered inside an IFrame element – and where (on pages from 3rd party sites, only on pages within the site itself, or not at all).

The solution that is being proposed here is nice, but time will tell if or when sites would start adopting it. Nevertheless, while playing around with the new feature behavior, I noticed that without much PR, Firefox is also supporting the same functionality.

Image 1: blocking the inclusion of a site in an IFRAME where the site returned a header X-FRAME-OPTIONS: DENY

Image 2: Firefox blocking the included IFrame, and showing the actual header returned from the site.

Now with only Chrome and Opera to jump on the bandwagon, we might actually have a chance to see some changes in the web security landscape (as you may remember – most of the web borne attacks are delivered through the inclusion of an invisible IFrame hosting malicious code). That isif only this protocol could have been reversed to define that no IFrames should be rendered ON a said site, thus preventing injected IFrame elements from being delivered to the users of a compromised site.

Related posts:

1. Blocking legitimate sites in real-time
2. Fighting eCrime? We are not there yet!
3. Blocking Facebook? Not popular, and not effective

I’ve been asked to contribute once again to the Microsoft BlueHat blog, and have written a quick “state of the web security” post. Check it out, and as always, feel free to comment or discuss whether in agreement or not.

The post is located here.
Cheers.

Related posts:

1. Post BlackHat, pre DefCon
2. Getting a business degree as part of Security Research?
3. New post on fudsec.com – CyberFUDfare